Speeding In Maryland Could Be Hazardous to Your Identity

If you've ever received a traffic ticket in Maryland, your name, birthday, Social Security number and address may be posted on the Maryland state Web site for anyone to find, Security Fix has learned.

Reader Mark Webster from Annandale, Va., alerted me that the official Maryland court records Web site lists the personal data of countless citizens. The citations listed go back more than 30 years, and include records even for routine traffic stops that were ultimately dismissed.

The records with sensitive data in them appear to be limited to tickets issued to people who currently or at one time lived in a state that previously used the Social Security number as the default driver's license or customer number.

Searching through records in the database for tickets issued to surnames "Johnson" and "Smith" confirmed that those states include Delaware, Connecticut, Iowa, Missouri and Virginia. Probably close to half of the records that contained SSNs belonged to current and former District of Columbia residents.

I also found records for tickets issued to residents of Georgia, Louisiana, New York, Rhode Island, and South Carolina that included nine-digit numbers next to the "drivers license:" field, but I was unable to verify if those were SSNs.

Jason King, spokesman for the American Association of Motor Vehicle Administrators, said all 50 states and the District have ceased printing SSNs on driver's licenses, although drivers in some states -- particularly Virginia -- may still have valid licenses that have the number printed on them.

I should note that just because you received a ticket in Maryland doesn't mean the citation or your personal information is automatically up on the site. While researching this piece, I talked to several people who said they had been cited for speeding or other traffic offenses in Maryland but who could not find a record of the offense in the state's online database.

Hugh Williams, administrator of the Maryland AG's Identity Theft Program, said he was recently made aware of the personal data on the state's site after hearing from a Virginia woman who was upset that her SSN and other data were listed online. Williams referred her to the clerk of the court, which told her that while she could submit a formal, written request that the documents be removed from the state's Web site, the state was under no obligation to honor that request.

"They pretty much told her that court records are a matter of public record in Maryland, so they can't redact anything," Williams said. "A lot of the laws regarding this kind of information were written well before [popular use of] the Web and awareness about identity theft."

People whose information is listed on the site shouldn't expect a data breach notice from the Maryland government. If a Maryland business had published these records online, it would be required by state law to notify affected citizens. However, the state's data breach notification law exempts government entities from that requirement.

Maryland Del. Susan C. Lee (D), who represents the state's 16th District and recently co-chaired an identity theft task force, was unaware that personal data from traffic citations was available on the state's site. She said she would consider introducing legislation next year to correct the problem (the state's legislative session ended in April).

"We need to do something to correct this, even for out-of-staters," Lee said. "We're supposed to make government work for people, not make it worse for them or to complicate their lives."

I was amazed that so few people I spoke with in the Maryland government were aware that this information was available on the state's Web site. Earlier this year, The Washington Post ran a front page story highlighting the availability of such records on state Web sites. The story led with the revelation that Maryland Attorney General Douglas Gansler's SSN was among those listed on the state's Web site.

How about you, dear Security Fix readers? Are your records listed in this database? Does your home state similarly list sensitive records online? Send me an e-mail or sound off in the comments section below.

I fully expected this comment, and am sort of glad (but not surprised) that it came as the very first one.

Do you think that security by obscurity is an effective approach? Do you imagine for a moment that identity thieves don't already mine state databases like this one? Do you really believe that my column is going to turn otherwise law abiding citizens toward ID theft? What if YOUR information was available on this Web site? Wouldn't you want to know about it?

Like it or not, the *only* way to make this kind of bone-headed practice go away is to shine a spotlight on it.

This is great information, thank you for exposing this and I hope that the State of Maryland does more than "consider introducing legislation next year to correct the problem". This needs to be corrected immediately.

We wrote in our blog (http://www.everycall.us/blog) and referenced your story to inform our readers as well.

Wow, Krebs... feeling defensive today? You know that information will be up on that website for at least a year before the Lege can pass a law (if it passes) to have it removed. So, until then, this massive portal to personal information is open for business.

Oh, and by the way, if your information is on the website, you have no way to remove it.

Your "spotlight" illuminated the vulnerability of thousands of identities that cannot be protected. You wanted the story, so you printed it. I am fairly certain you understood before you posted it that your story might cause serious financial and emotional injury to thousands of innocent people. You did what you did for selfish reasons, that much is obvious. Attempting to claim you did it for the good of everyone else is, well... suspect at best.

Regarding traffic tickets: It appears to me that the records appear online only if there is a court appearance, secondary court filing, or secondary event beyond the traffic stop (failure to appear). I didn't see any cases that indicated that someone just mailed in a check....

You act like this has been some giant "secret" that was suddenly unearthed. Seriously, Mr. Krebs did not pull back the curtain on information that anyone with 3 brain cells and Google hasn't already found, cataloged, and indexed.

Zilla you sound like a bloody douche nozzle of a person who is so full of ignorance on the topics he attempts to spew that it is downright comedy.

So I suggest you go back to your little right wing blogoscope where everything you spew is right no matter what reality dictates. Krebs did people a favor by pointing out this issue, he even stated it's not a new issue in the post. So how is it that you are acting like this is a new vulnerability or source for PI? For God's sake, I'm sure if you checked the logs of those servers you would see all sorts of fun IPs connecting to them scraping data from their databases.

Your Fabulous Mr. Krebs was kind enough to post a link to the web site where one can gain access to thousands of unprotected social security numbers. I found that little personal touch especially moving... and irresponsible.

Yes, I am fully aware criminals dredge the net daily looking for exactly this type of security oversight regarding personal information. However, Krebs exposed this oversight to the entire world. This act is especially egregious since the people at risk have no way of protecting themselves. He did not shine his "spotlight" on an isolated security breach, he shined it on a giant bucket full of all-you-can-eat identities.

Come on, Chuck. Let your own mind guide your thoughts. Use a little common sense, Chuckie. Krebs is selling stories with no regard for who he injures in the process. A formal letter from his editor to the Lege or even the clerk in charge of the posted information would have been every bit as effective as this pseudo-expose.

Chuckie, if you found the social security numbers of all your friends and family posted on a billboard in your hometown, would you post that fact, along with a map of how to find the offending billboard, on the Internet? Or, would you begin work to have it taken down as quickly and quietly as possible? Well, guess what? Krebs found the social security numbers of thousands of people on a digital billboard and posted instructions for how to find them on the Internet.

I have had 3 tickets in Maryland in the last 15 years, none of them are there. I think that Towson is correct and that simply paying by mail may be enough to keep your information out of the database. That is what I did with my tickets.

There are many ways to protect one's identity after exposure. You can be angry at Brian all you want for making this *more* publicly known. What I don't get is your complete lack of outrage at a state government that has had this information posted (and might I add, mined and abused) for years. Not even a raised eyebrow from you over a legislator saying "Oh, I'll introduce some bill next year to deal with it."?? Next year? You don't care?

Guess what, if Brian hadn't said anything about it, you'd still be wandering around in your little self-righteous cocoon, ignorant of the fact that 90% of what gets posted in security news gets posted after the cat is out of the bag inside the industry, and with the darker side of the net.

And actually, if my friends and family had their information posted to a billboard I would take proper action. If it was released by an incompetent government official, I sure as heck wouldn't be pissed at the guy who pointed the sign out to me, I'd focus my outrage at the individuals responsible for making that information public to begin with.

Before we get distracted by personal attacks on BKrebs, why don't we instead focus on the issue at hand here?

Identity theft today is a BIG (and common) problem. That the government - local, state, and federal - continues to encourage individuals to protect themselves from identity theft, to secure and be careful with their SS#, etc, and yet continues to fail to protect our information stored within their databases is appalling. Consumers today must be aware of where their information is, how it is being used, and if it is secure. What's more, individuals are better off knowing when they might be at risk- BKrebs is alerting some here - so that they can take steps to prevent identity theft BEFORE it happens or quickly resolve theft/fraud before it gets bad.

The SSNs are the DL numbers in some states. Click on the case number and follow it to the disposition. If the defendant's DL number is the same as his SSN, you have a valid SSN, name, address and DOB. Enough to open up a bunch of free credit cards online, apply for a fake driver's license or even a passport.

Referee -- The only one so far in this comment thread who's being inconsistent about their identity is you. So far, a person from your IP has posted in this thread as "Zilla," "Referee", and "Done with Krebs." Care to add a fourth identity?

Zilla (I'll refer to you by that since it's the first name you used)-
Do you also have a problem with bloggers who expose holes in the software we use every day, since it may tip off crackers that an opportunity exists? Having this problem exposed will cause it to be fixed. Furthermore, anyone who wants to steal your identity from public records can do so; it's a public record, they can get it. If you have a traffic ticket from back when your SSN was your DL number, it's in a database somewhere.

If you discovered a flaw that allowed someone's personal data to be released, would you release the flaw so it can be fixed, or would you sell it to the highest bidder?

I for one am quite glad to know this is up there. This lets me know if my information is there (at first I thought I saw me, but it was actually different people with the exact same name at the exact same court for traffic violations!). If I had found my info, I could get ID theft protection or some such BEFORE an incident happened, since the ID thieves probably already knew about these records and now I would be able to protect myself. You have to assume bad people already know this stuff way before any of us hear about it, and when we hear about it we at least get a chance to prepare.

For the record, I was in court several years ago for a traffic violation which was dismissed (the officer did not show up) and that's not in the database. Also, I got a ticket for another traffic violation a couple years later which I paid by mail and that does not show up either. I guess I'm lucky!

I gather that the website is an official state of Maryland creation that the legislature authorized. But do affected citizens really have to wait until next year's session for new remedial laws to correct this hazardous state of affairs?
Years ago in California, your auto registration had to be in open view, until the near-fatal attack on an actress by a stalker occurred. Law or no law, drivers began taking them out of public view until new legislation changed the public viewing of the info.
The MD website information cannot be redacted by the affected individual. But after reading the article, phrases like "arbitrary and capricious" and "equal protection of the law" come to mind, since where and when your license was issued and how the matter was processed and adjudicated may or may not have resulted in such info being posted. If this had happened in CA, someone would have sought an immediate restraining order redacting the sensitive info until the legislature corrected the problem.

Yeah I have known about this for a while, and have always found it atrocious. SSNs or no, personal court records should be available to the public, but not pseudo-anonymously over the internet. This is a big fail for MD. Several members of my family have their cases up there, you can also look up criminal histories in MD. This stuff should be offline, and searchers should have to identify themselves and at least state a purpose for researching it.

"The records with sensitive data in them appear to be limited to tickets issued to people who currently or at one time lived in a state that previously used the Social Security number as the default driver's license or customer number."

There is no SSN field, only a DL# field that some states used to use SSN's for.

Also, I recently had a speeding ticket in which I simply mailed in a check--and it IS on the website.

"Referee -- The only one so far in this comment thread who's being inconsistent about their identity is you. So far, a person from your IP has posted in this thread as "Zilla," "Referee", and "Done with Krebs." Care to add a fourth identity?" - hahaha!

Zilla is a coward and probably angry this was blogged because he is an identity thief (he sure seems to have a problem with his own identity).

And I have to say that I agree with Tom Martin for the most part. This stuff is important enough to make the paper as well.

As a computer geek, I can tell you that this is a common reaction about security issues. Big companies, in particular, get very hot when a security researcher publishes information about a vulnerability. But they're angry about disclosure, not because it increases use of the exploit, but because it's bad advertising.

It's equally silly to blame BKrebs for writing about a threat. Does anyone honestly believe that an identity thief reads the Post to find out where to get material? There are plenty of boards, blogs, rooms, and sites that are much richer sources.

I think you nailed it RW: I am amazed at how many people respond to this thinking that this posting will teach criminals how to access this information. The criminals already know how to get it, and by posting this, all that happens is that honest people now know one more place to look to protect themselves (and hopefully convince our government to do something to fix the problem).

There is so much pent up anger in your comments. I guess my role as provocateur has pushed some of you too close to the edge. Now, take a deep breath and read on... you're going to love this.

First, to whomever "outed" me. Good work. It was just too much fun to antagonize the type of people who think so highly of their own self-centric views and opinions and are too narrow-minded to consider the fate of the potential victims of this now over-exposed portal.

Second, to all those people whose personal information is listed on that site, but will never read this impotent little article, I am truly sorry Mr. Krebs made your vulnerability public knowledge on a global scale.

Third, just out of curiosity. Am I a liberal or a conservative for being the only person on this entire forum who is concerned for the potential victims and not myself?

Fourth, all I do is help victims recover from identity theft. So, naturally, my views are from the victims' vantage point. To all you "security specialists" out there who are working to lock down our digitized personal information, thanks... keep up the good work. To those of you in the media who are so hard up for a story you are willing to put others at risk, in any way... well, you'll get yours in the end.

Fifth, I agree that whistle blowing can be a very effective way to correct known issues in both the public and private sectors. However, when blowing the whistle creates the exact situation you hope to avoid by blowing the whistle in the first place... what's the point? Maybe there is a better way. To all you Krebbies out there, like it or not... he blew it with this one.

Sixth, whether you are an over-zealous security consultant, an arrogant reporter or an identity theft victim, if you haven't put a security freeze (not a fraud alert) on your credit files, you are much more vulnerable to financial identity theft than you need to be. You should stop reading boring forums like this one and start the security freeze process now... right now. Stop reading and go freeze your files before it is too late.

Seventh, it would have been thoughtful of Krebs to put a link to an identity theft prevention website in his article, as opposed to the link to the site where John Q. Public can access your personal information for the next year or so... don't you think?

Eighth, this is my first time using one of these response forums. What a tremendous waste of time. Do you guys really do this for fun? I have to admit, I was surprised Krebs responded so quickly to my first post. It makes me laugh to imagine him sitting poised and ready to pounce on the first negative comment to his article. I suppose it was his guilty conscience making him sweat. I bet he did a little fishing around on that site and made sure his information wasn't on it before he exposed it to the world. But, I'm a betting woman.

Ciao, boys. Do us a favor? Try to start thinking for yourselves. Believing everything you read or see on television is naive and makes you a simple little human.

Oh, BK... I forgot to mention... I did use a fourth alias. I was also HK. Some security specialist you have turned out to be. Tsk tsk.

It amazes me that anyone would read your stuff. I think your Krebbies (somehow that name I've just created for your fans sounds so appropriate) see you as some sort of heroic figure out to smite the worst of the worst in the digital underground. That's quite a quaint picture, no? I see you more as a mediocre writer who has been relegated to the lifeless computer security column by an editor with the foresight to recognize your flair for the impotent. But, don't let that get you down. Keep sensationalizing your subjects as much as possible. Your big break will come. Don't worry about silly little things like how your articles might negatively affect innocent people. That would just be, well... ethical.

I also LOVE the fact that you took the time to look up the IP addresses of those who comment negatively on your work. Classic. You are quite the delicate flower, Krebs. That is almost as good as you posting the link to the exposed identities and giving detailed information about how to mine the best data.

I know writers tend to be an insecure lot, but you take the cake. Does your editor know you do that? Does he or she condone you looking up the IP addresses of those who do not see eye to eye with your predictably arrogant views and posting little impotent zingers against them in a public forum?

Somebody you work with should get you a golden shovel, Krebs. Because you are always either digging a hole for yourself, or filling one in. Happy digging...

For the record, after banging my head against the wall with Maryland about this issue for some time, I alerted just about every news agency in the area about this situation. Brian was the only one who cared enough to get back to me.

In every email we exchanged, Brian was professional and understood what the problem was. He went to the people in charge and alerted them before the blog was published. The people in charge chose to do next to nothing.

If you have a beef, it should be with the State of Maryland for publishing this info and not removing it when they are told about what it contains.

Our Federal Government Agencies, who are supposed to be dedicated to protecting against ID Theft, are once again doing little or nothing to correct such problems. These States should have been put on notice to correct this posting of ID information years ago. My guess is the Agencies working to protect us citizens had no clue this information was being posted because they are not looking for problems. Perhaps they are understaffed or just lazy. Look at the sloppy work being done to protect your financial information and online bank accounts. The FFIEC knew for example that username and password alone was not secure, so they rolled out a set of guidelines for accessing online bank accounts when they should have released mandatory Regulations requiring proper accessing for such accounts. There are strong affordable security solutions available for protecting your financial accounts and information online but few institutions are using them because they don't have to. Instead we get told that an image, phrase, or some silly question will protect your account and they won't. I wish more Reporters would join Brian Krebs' efforts to expose these obvious flaws in security and force us to push the Government into properly fixing them.

Please put down the gallon jug of haterade and attempt to think clearly.. Wait nm you are just some washed up pissed off angry white boy from Texas who pretends that he is a journalist in his spare time. Then for fun tries to go out and attack real journalists to get his jollies.

ps taken from wikipedia

Reporters find sources for their work, their reports can be either spoken or written, and they are often expected to report in the most objective and unbiased way to serve the public good.

Your right-wing blogs/rants/articles/mental diarrhea do not qualify as such. So I ask you for the good of all mankind please STFU and go back to "helping victims of identity theft" since that seems to be your day job. Let me guess, you were in LifeLock's call center... (congrats on the soon to be outsourced jerb!)

The comments of "Zilla", AKA "Referee", "Done with Krebs" and "HK" remind us, as if we needed to know, that our society still harbors abrasive, immature, rude, bird-brained exhibitionist characters in greater number than most others in which I have lived and worked (about 30). Zilla, etc., says it is his first post, and if he has any sense of shame it should be his last. But he probably doesn't, so he will no doubt bite again on this one.

Brian Krebs has done the public a favor by showing how pervasively governments violate their own laws, and how difficult it is to persuade them to cease the offense; and also by contacting Susan Lee (a person I have worked with and respect highly) for the purpose of correcting Maryland's practice.

FYI, in the days when Maryland did place SS numbers on drivers' licenses and in other public places, I discovered that a form existed to have it excised. I took my completed form to the MVA and asked them to do so. Everyone there simply stared bug-eyed and said they knew no way it might be done. Then I mailed it to the head of MVA, copied to the governor, with a cover letter recounting these events. I never received a reply from MVA or the governor's office, and my request was never honored.